[14718] in Kerberos
Re: Kerberos telnet and today's telnet vulnerability announcement
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Tue Jul 24 17:56:09 2001
From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Date: 24 Jul 2001 21:45:51 GMT
Message-ID: <9jkqaf$16q$1@newsmaster.cc.columbia.edu>
To: kerberos@MIT.EDU
In article <3B5DE79C.F5E14EDC@cats.ucsc.edu>,
John Rudd <jrudd@cats.ucsc.edu> wrote:
:
:
: So, most of my machines don't use the standard vendor telnet, but
: instead use one form or another of a kerberized telnet. Does anyone
: know if today's announcement applies to kerberized telnetd's?
:
: http://www.securityfocus.com/bid/3064
Its hard to tell. I can't gain access to the patch so I don't know
if it is something that was fixed in past releases.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch
From the description of the hole it seems that it would be very difficult
to exploit this hole. The overflow that occurs is produced with data
generated by the telnet daemon and not the client.
Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available
The Kermit Project @ Columbia University includes Secure Telnet and FTP
http://www.kermit-project.org/ using Kerberos, SRP, and
kermit-support@kermit-project.org OpenSSL. SSH soon to follow.
